Bug#1054164: libowasp-antisamy-java: CVE-2023-43643

Salvatore Bonaccorso carnil at debian.org
Wed Oct 18 14:32:17 BST 2023


Source: libowasp-antisamy-java
Version: 1.5.3+dfsg-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for libowasp-antisamy-java.

Note: The severity is set to RC, though 'important' would better fit.
It looks like in each supported version in Debian we are still at
1.5.3. Is the library still maintained within Debian?

CVE-2023-43643[0]:
| AntiSamy is a library for performing fast, configurable cleansing of
| HTML coming from untrusted sources. Prior to version 1.7.4, there is
| a potential for a mutation XSS (mXSS) vulnerability in AntiSamy
| caused by flawed parsing of the HTML being sanitized. To be subject
| to this vulnerability the `preserveComments` directive must be
| enabled in your policy file and also allow for certain tags at the
| same time. As a result, certain crafty inputs can result in elements
| in comment tags being interpreted as executable when using
| AntiSamy's sanitized output. This issue has been patched in AntiSamy
| 1.7.4 and later.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43643
    https://www.cve.org/CVERecord?id=CVE-2023-43643
[1] https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2
[2] https://github.com/nahsra/antisamy/commit/05c52b98bb845b8175b8406bd2f391ce334a05d6

Regards,
Salvatore
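
As an added example, not part of this bug report or of AntiSamy itself, the following Python check parses the AntiSamy policy XML format (a `<directives>` element holding `<directive name="..." value="..."/>` entries) and flags a policy that enables `preserveComments` on a release older than the fixed 1.7.4. The sample policies and the handling of Debian version strings are constructed here, and the advisory's second precondition (which tags the policy allows) is not modelled.

```python
# Added example, not part of the bug report or of AntiSamy: flag a policy that
# enables preserveComments while the installed release predates the 1.7.4 fix.
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 7, 4)  # first release carrying the fix, per the advisory

# Constructed sample policies in AntiSamy's policy XML format (not real files).
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="preserveComments" value="true"/>
  </directives>
</anti-samy-rules>
"""
HARDENED_POLICY = WEAK_POLICY.replace(
    '<directive name="preserveComments" value="true"/>',
    '<directive name="preserveComments" value="false"/>',
)


def parse_version(text):
    """'1.5.3+dfsg-1.1' -> (1, 5, 3): drop Debian's +dfsg / -revision suffixes."""
    base = text.split("+")[0].split("-")[0]
    return tuple(int(part) for part in base.split("."))


def preserve_comments_enabled(policy_xml):
    """True if the policy's preserveComments directive is set to true."""
    root = ET.fromstring(policy_xml)
    for directive in root.iter("directive"):
        if directive.get("name") == "preserveComments":
            return directive.get("value", "").strip().lower() == "true"
    return False  # directive absent: AntiSamy strips comments by default


def assess(policy_xml, version):
    """'exposed' when both preconditions of CVE-2023-43643 hold, else 'ok'."""
    if parse_version(version) < FIXED_VERSION and preserve_comments_enabled(policy_xml):
        return "exposed"
    return "ok"


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, assess(policy, "1.5.3+dfsg-1.1"))  # weak exposed / hardened ok
```

Run it against the policy file your deployment actually loads; setting the directive to `false` removes the precondition even where upgrading to 1.7.4 is not yet possible.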
